Organizations Surrendering Control of Sensitive Data in The Cloud: Survey

As organizations shift towards the cloud to store and transfer sensitive and confidential information, there is some disagreement over who is in charge of protecting the data, according to a recent report.

Nearly half, or 49 percent, of organizations already transfer sensitive and confidential data into the cloud, and 30 percent are planning to do so within the next two years, according to the "Encryption in the Cloud" report from Ponemon Institute released today. The report surveyed 4,000 business and IT managers in seven countries and the responses were fairly consistent across the board. German companies were more likely to transfer sensitive or confidential data, and French and Japanese companies were less likely to do so, the report found. The US was right in the middle, at 50 percent.

A little over a third, or 39 percent, of the business and IT managers surveyed believed cloud adoption had made their company less secure. While that number sounds alarming, 44 percent said using cloud services has not affected the organization's security posture, the report found. Only 10 percent of the survey respondents felt moving the data to the cloud resulted in the organization being more secure, according to the report.

"Once again we see that economics seems to trump security," Richard Moulds, vice president of product management and strategy at Thales Information Systems Security, wrote on the Key Management blog. Thales commissioned the Ponemon report.

However, the survey seemed to indicate that organizations with strong security postures were the ones actually moving the sensitive data to the cloud while those with weaker security focus have not yet made the shift, Moulds said. It appears that organizations who understand the security risks of being in the cloud are more likely to take advantage of the business benefits of the cloud, which "sounds quite comforting," Moulds said.

There was some disagreement over who was responsible for protecting the data. A little less than half, or 44 percent, of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment, compared to 30 percent who thought the responsibility lay with the customer. A quarter believed the responsibility should be shared.

Only half of those that expected the provider to protect the data believed the cloud provider was actually capable of doing so. That was "not surprising" when nearly two thirds admitted they had no idea what the cloud providers are actually doing to protect the data, Moulds said.

About 38 percent said the organization encrypts the data during transit to the provider's environment, compared to 35 percent who performed the encryption first before initiating the transfer, the report found. About 27 percent relied on the cloud provider to encrypt the data.

"Regardless of where encryption is deployed the net security is still driven by the measures that are put in place to protect and control the keys," Moulds said.

Overall, 36 percent of the respondents said the organization retained control of the encryption keys, compared to 22 percent who said the cloud provider had control. Another 22 percent used a third-party service other than the cloud provider to manage the keys. It was surprising that of the organizations that encrypted the data in-house before transferring the data, only 32 percent retained control of the keys, Moulds said. Nearly 44 percent relied on a third-party service, according to the report.

Organizations need effective key management that is integrated with existing IT business processes, Moulds said. Regardless of where the data is stored, the organization needs to retain control.

"Even if you allow your data to be encrypted in the cloud, it's important to know you can still keep control of your keys. If you control the keys, you control the data," Moulds said in a statement.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.